Renewing that pesky “Microsoft Exchange” certificate

 

You know the one I am taking about. The self-signed certificate with a friendly name of “Microsoft Exchange” that each server issues by itself to itself. They are valid for 5 years , then suddenly, they are not. When on-premises was king, you rarely saw any questions about these. They just worked – and as companies upgraded, new ones were created on the new version servers, mailboxes were moved and the old certificates disappeared as the servers were retired.

Today, as more migrate to Exchange Online, these old 2010/2013 servers seem to be kept around longer during the migration,  frozen in time and are now bumping into that 5 year certificate lifetime.

So why renew it? It doesn’t appear to be doing anything. Well Sir or Madam, that is the certificate bound to the “Exchange Back End”  IIS site and essentially secures all the internal communications. 

undefined

If it expires, you could start experiencing the following side effects:

Dizziness

Dry Mouth

Exchange Powershell errors

Inability to open EAC

Errors in the event logs such as :

event log errors

See that :444? That’s the backed port number 

 

To fix: 

First, simply renew the certificate. You can do this in Powershell or EAC by highlighting the “Microsoft Exchange” certificate and clicking Renew.

Second, you’ll want the server itself to trust this new self-signed certificate. Nicely enough, the original Exchange setup program does this for you. When you renew the self-signed certificate, not so much. Once that new certificate is created, open MMC and add the Certificates snap-in on that server. From there, choose the “Computer Account” and then “Local Computer”. 

Copy the new certificate from Personal/Certificates to Trusted Root Certificate Authorities/Certificates. If you access the properties on the new certificate and go to the “Certification Path” tab, it should show as OK.

Third, add the new certificate to the Back-end Binding and run IISRESET.

From the article I first linked above. Do the following:

 

  • Start IIS Manager on the Mailbox Server.
  • Expand Site, highlight Exchange Back End, and select Bindings from the Actions pane in the right side column.
  • Select Type https on Port 444.
  • Click Edit and select the Microsoft Exchange certificate.
  • From an administrator command prompt, run IISReset. ( Do this off-hours if this a standalone Exchange Server. If you are using a DAG, then move all the databases to other servers and have at it)

 

You’ll go from this:

PickCertBindings

To this:

BackEndUpdated

You are done for another 5 years. 

 

 

 

 

 

Published by adavid6

Grumpy Old Exchange MVP. My old site was lost: https://web.archive.org/web/20180307110652/http://no-one-uses-email-anymore.com/ I have been an Exchange MVP since 2002. I also had the honor of naming “You had me at EHLO” for the Exchange Product Group Blog way back in the early 2000s. I attempt to answer forum questions on TechNet: https://social.technet.microsoft.com/profile/andy%20david/ and can be found on Twitter: https://twitter.com/adavid6 Reddit: https://www.reddit.com/user/adavid1608 Microsoft Tech Community: https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/86

One thought on “Renewing that pesky “Microsoft Exchange” certificate

  1. Absolutely perfect article, I spoke to MS twice to ensure I didn’t create an outage, sure enough their process was way off. I followed the above article and it worked perfectly. Thank you!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: